A METHOD AND A SYSTEM FOR RESPONDING TO A REQUEST FOR
ACCESS TO AN APPLICATION SERVICE 



Technical Field 

The present invention relates to a method and a
server for responding to a request for access to an
application service, which service is deployed in a
system that associates specific areas of a position coded
surface with corresponding application services.

Background of the Invention 

The applicant of the present invention has developed
a system infrastructure in which use is made of products
having writing surfaces that are provided with a position
code. Digital devices, preferably in the form of digital
pens, are used for writing on the writing surface while
at the same time being able to detect positions of the
position coded surface. The digital device detects the
position code by means of a sensor and calculates
positions corresponding to written pen strokes.

An area of the position code, such as an area
associated with a product, typically has one or more
activation icons, also known as magic boxes, which, when
detected by the digital device, cause the pen to initiate
a respective predetermined operation which utilises the
information recorded by the device from the position
coded surface.

More specifically, the position-coded surface has a
built-in functionality, in that different positions on a
confined area of the surface on a product, such as
positions within the activation icon and positions within
the writing surface, are dedicated for different
functions. The position code is capable of coding
co-ordinates of a large number of positions, much larger
than the number of necessary positions on a surface area
of one single product. Thus, the position code can be
seen as forming a virtual surface which is defined by all
positions that the position code is capable of coding,
different positions on the virtual surface being
dedicated for different functions, or services, and/or
actors.

The system includes, in addition to the digital 
devices and a plurality of position coded products, at 
least one look-up server running a service called a paper 
look-up service, PLS, and a plurality of application 
servers acting as actors or Application Service Handlers 
ASH in the system and executing application services. 

The look-up server uses a database to manage the
virtual surface defined by the position code and the
information related to this virtual surface, i.e. the
functionality of every position on the virtual surface
and the actor associated with each such position.
Different areas, or regions, on the virtual surface are
by the paper look-up service associated with respective
particulars and/or data by means of management rules. In
response to receipt of information from a digital device,
which information corresponds to at least one position on
the virtual surface, the PLS is arranged to identify to
which area the coordinates of the position or positions
belong and to determine how the information is to be
managed based on the management rules for that area.

The application server is a server effecting a
service on behalf of a digital device, such as storing or
relaying digital information, initiating transmission of
information or items to a recipient etc.

The above described position coded surface and the
overall system with its operation and its enabling
support of various functions and services to digital
devices are further described in the published patent
applications US2002/0091711, US2003/0046256 and
US2003/0061188, all of which have been filed by the
present applicant and all of which are incorporated
herein by reference. It is to be noted that other types
of position codes are equally possible within the scope
of the present invention.

The above described system is beneficial for an 
enterprise or a government authority that wants to use 
the functionality of the system for improving internal 
processes and workflows. By using the described system, 
an enterprise will be able to turn information entered by 
means of pen and paper into useful digital data. Such a 
process for transferring paper based information to 
digital data will save the enterprise a considerable 
amount of labour and time, and in the end a considerable 
amount of money. 

However, there are some drawbacks associated with
the above system if an enterprise wants to adopt the
system while at the same time, for security reasons,
retaining full control over its usage. Some of these
drawbacks can be derived from the fact that the above
described paper look-up service is a global service, i.e.
a global paper look-up service, G-PLS, that services a
number of different actors and that is operated by an
external party, typically by the party determining the
allocation of different areas of the position coded
surface to different functions and different actors.

The enterprise can gain more or less full control 
over any application services which are for exclusive use 
by the enterprise and its associated pens if the 
application services are hosted on e.g. an intranet, 
without any participation of the global paper look-up 
service in the execution of the specific application 
service. However, the enterprise would still be dependent 
on an established communication with the global PLS, such 
as over the Internet, in order for the look-ups from the 
digital devices, or pens, to be managed correctly and in 
order to direct a device to a specific application 
service. Thus, the enterprise will not be in control of
general digital device usage, such as look-ups being
performed, nor will it then be able to control the
digital device's access to externally available services,
since such services could be accessed by the digital
devices via the global PLS.

Summary of the Invention 

An object of the present invention is to provide a 
method and a server that offers an enterprise increased 
control and security, in terms of general system usage 
and service usage, when adopting the principles of a 
position coded paper based system of the kind described 
above.

According to the invention, this object is achieved 
by a method having the features as defined in independent 
claim 1 and by an enterprise paper look-up server having 
the features as defined in independent claim 16. 
Preferred embodiments of the invention are defined in the 
dependent claims.

The invention is based on the idea that instead of 
relying on a global paper look-up service for managing 
information and controlling and invoking application 
services, an enterprise paper look-up service is provided 
which manages a confined set of enterprise application 
services associated with respective areas included by the 
overall position coded surface. When receiving a request
that includes address information of such an area, the
enterprise paper look-up service, E-PLS, checks if the
area address is associated with a service that the E-PLS
manages. The E-PLS also checks if the originator of the
request has the right to access the enterprise
application service. If the area address is not 
associated with a service managed by the E-PLS, the 
request is routed to a second paper look-up service. 

This solution provides a number of advantages. The 
solution improves security since it enables the
enterprise paper look-up service to operate independently
of the global PLS, and therefore only requires
communication within an internal network of the
enterprise, to which network one or more enterprise paper 
look-up services and servers executing enterprise 
application services are connected. Thus, the enterprise 
does not need to communicate with a global PLS over the 
Internet. By not including Internet resources in the 
solution the security and control of the system is not 
jeopardized. Should it be desired to be able to 
communicate with the global PLS, such communication can 
be greatly restricted and carefully monitored by means of 
communication via an enterprise firewall. Also, the 
system can more easily be adapted to any existing 
security framework of the enterprise. 

Furthermore, the enterprise will be in full control
over which services can be accessed by the digital
devices, and thus in full control over the usage of the
digital devices in the system. It is the enterprise that
on its own determines which confined set of services is
managed by the enterprise look-up service and to which
specific further look-up service a service request may be
routed. In addition to the fact that this gives the
enterprise control over which services are, and can
be, used, it also facilitates the control of costs
generated by the system usage. The solution enables an
enterprise centralized administration, and enables
introduction of new services and maintenance of services
to be performed easily and efficiently by the enterprise
since the services are managed centrally and provided so
as to be accessible to all digital devices associated
with the enterprise.

Advantageously, the E-PLS checks if an originator of 
a request for access to a service has the right to route 
a request via the present E-PLS to a second PLS, before 
such routing is performed. The right may be controlled 
by, e.g., different security levels associated with the
services of the second PLS or the second PLS in itself.
This second PLS may be an E-PLS of another organisational
part of the same enterprise, an E-PLS of another
enterprise, or the global PLS. Thus, regardless of
whether the originator is a digital device or another
E-PLS, this makes it possible to enable, or disable, the
access to an E-PLS of another organisational part of the 
same enterprise, an E-PLS of another enterprise, or to 
the global PLS if such a communication path is possible. 

Furthermore, the E-PLS advantageously checks, if the 
received request for access to a service is determined to 
relate to a service managed by the E-PLS itself, that the 
digital device has the right to access this specific 
service, before granting access to the service. Thus, the 
enterprise will be able to control what digital device, 
or group of digital devices, that is/are allowed to 
access what service. Similarly, the E-PLS may check if a 
certain other E-PLS has the right to route a request for 
access to a service managed by the E-PLS in case the 
request is received from such other E-PLS. 

Further features and advantages of the invention 
will become more readily apparent from the following 
detailed description of a number of exemplifying 
embodiments of the invention. As is understood, various 
modifications, alterations and different combinations of 
features coming within the spirit and scope of the 
invention will become apparent to those skilled in the 
art when studying the general teaching set forth herein 
and the following detailed description. 

Brief Description of the Drawings

Exemplifying embodiments of the present invention 
will now be described with reference to the accompanying 
drawings, in which: 

Fig. 1 schematically shows an exemplifying system 
infrastructure developed by the applicant of the present 
invention;

Fig. 2 schematically shows a system which includes 
an exemplifying embodiment of the present invention; 
Fig. 3 shows an enterprise paper look-up server in
accordance with an exemplifying embodiment of the 
invention; 

Fig. 4 schematically shows an exemplifying overall 
operation which includes the operation of an embodiment 
of the invention; and 

Fig. 5 is a flow chart of the operation in 
accordance with an exemplifying embodiment of the 
invention.



Detailed Description of the Invention

Fig. 1 shows the system infrastructure developed by 
the applicant of the present invention. This 
infrastructure has been described above in the background 
section and will be further described below.

The system in Fig. 1 comprises digital pens 100 
implementing digital devices and a plurality of products 
110 with a position code (not shown) covering a writing 
surface 120 and an activation icon 125. In the figure, 
only one digital pen and one product are shown. The 
system further comprises a network connection unit 130, a 
paper look-up server 140 running a paper look-up service, 
PLS, an application server 150 running an application 
service of a third party and an application server 160 
running a number of standardized application services in 
the system. In Fig. 1 the network connection unit 130 is 
exemplified with a mobile station, however, the unit 130 
could alternatively be a personal digital assistant (PDA) 
or some other suitable electronic device. Typically, the 
described system will in addition to a plurality of 
digital devices 100 and products 110 include a plurality 
of network connection units 130 and a plurality of 
application servers 150, 160. 

By detecting symbols of the coding pattern on the 
product 110, the digital pen is able to determine one or 
more absolute co-ordinates of the total, virtual surface 
that can be coded by the coding pattern. 
The total surface is advantageously divided into a
number of segments, each segment being divided into a 
number of shelves, each shelf being divided into a number 
of books, and each book being divided into a number of 
pages. An absolute co-ordinate, i.e. a global position on 
the total, virtual surface, will by the digital pen be 
determined to be located on a certain page, which page 
may be regarded as a logical page having local positions. 
The page may be identified using the format 1.2.3.4 
(segment.shelf.book.page), which denotes page 4 of book
3, on shelf 2, in segment 1. This notation defines a page
address. An area address may typically be defined by a
page address. However, an area address may also define a
larger area by means of a book address, e.g. 1.2.3.x
where x denotes all pages of the specific book, a shelf
address, 1.2.x.x, or a segment address, 1.x.x.x. It is to
be understood that other addressing schemes are equally 
possible and that such addressing schemes also would fall 
within the scope of the present invention. 

When the user moves the digital pen 100 across the 
surface of the product 110, information is recorded by 
detecting code symbols on the surface and determining the 
corresponding absolute co-ordinates. This is accomplished 
by means of a sensor and various memory and processing 
circuitry included within the pen 100. These absolute co- 
ordinates, or the area address, typically the page 
address, to which the co-ordinates belong, are 
communicated via the mobile station 130, a mobile 
communications network 170 and the Internet 180 to the 
paper look-up service 140. Alternatively, the co- 
ordinates are communicated to a local paper look-up 
service running on a personal computer, PC, 190 in the 
close neighbourhood of the digital pen. If the personal 
computer and the digital pen are equipped with Bluetooth® 
transceivers, the digital pen 100 may communicate 
directly with the PC running the local PLS.
The local PLS is responsible for managing and
providing local standardized application services, such 
as an e-mail application, a calendar application, an 
application for taking notes etc. The local PC 190 stores 
particulars about co-ordinates and pages of one or more 
confined surface areas and manages services on behalf of 
one or a very limited number of digital pens. The paper 
look-up service running on server 140 on the other hand
is global and stores, in a memory or in a connected data
base (not shown), particulars about all the co-ordinates
of the total surface. This also includes storing
particulars about the pages in which the total surface is
divided. Both the global and the local paper look-up
service process received information, which at least
includes co-ordinate content or page address content, in
accordance with the management rules that have been 
associated with a particular co-ordinate or a particular 
page address. 

For a user of a digital pen, the system is simple to 
use as the user does not himself need to define how
recorded information/positions are to be managed. When
the user initiates a communication session for
transmission of information, the management of this
information is controlled based on the co-ordinates that
the user records and/or the page address on which the
information was recorded by means of the digital pen 100.

When the user of the digital pen 100 wishes to 
initiate transmission of information he "ticks" the 
activation icon 125. The recording of at least one 
position of the activation icon will then be recognised 
by the digital pen 100 as a co-ordinate of a send area, 
which send area is associated with a particular send 
instruction. By default, this send instruction includes 
the address of a predefined paper look-up service, either 
the global service of server 140 or the local service of
the PC 190. Alternatively, two send areas may exist, one
associated with the global service and one with the local
service. 

The digital pen 100 and the global/local paper
look-up service communicate by means of a pen protocol which
is a proprietary protocol of the applicant of the present
invention. For a more detailed description of the pen
protocol and the communication between a digital pen and
a paper look-up service reference is made to the patent
application US2003/0055865, which is incorporated herein
by reference.

Fig. 2 schematically shows a system which includes 
an embodiment of the present invention. The system has a 
hierarchical configuration with three enterprise paper 
look-up servers 200, 210, 220, executing respective 
enterprise paper look-up services E-PLS1, E-PLS2, E-PLS3,
and three application servers 205, 215, 225, executing 
respective confined sets of enterprise application 
services E-AS1, E-AS2, E-AS3. 

Each enterprise service manages its own pens 207, 
217, 227, registered with the service and its own 
application services. Typically, an enterprise paper 
look-up service manages enterprise application services 
that are executed on an application server which is 
connected to the server of the enterprise paper look-up 
service over a local area network. Thus, E-PLS1, with 
which pens 207 are registered, and which executes on 
server 200, manages E-AS1 executing on server 205, and E- 
PLS2, with which pens 217 are registered, manages E-AS2, 
and so on. 

Fig. 2 also depicts a global paper look-up server
230 executing a global paper look-up service, G-PLS, and
an application server 235 executing application services 
which also can be regarded as being global, and therefore 
denoted G-AS. In the figure, E-PLS2 is able to 
communicate with the G-PLS over an enterprise firewall 
240 and the Internet 250. 
The operation of an enterprise paper look-up service
is similar to that of the global paper look-up service, 
the latter sometimes only referred to herein as paper 
look-up service, PLS. The E-PLS distinguishes itself from 
the G-PLS in that it, e.g., may be configured to only 
communicate within a local area network (LAN) or to only 
communicate within the LAN and with one or more specific 
secondary E-PLSs outside the LAN. Such a secondary E-PLS 
may belong to the same enterprise or a different 
enterprise. Of course it is possible that the E-PLS and a 
secondary E-PLS are connected to the same LAN or a same 
Wide Area Network. In Fig. 2, even though not depicted, 
E-PLS1 and E-AS1 could be connected to a LAN without any 
connections to any other servers, and, thus, defining an 
enterprise's 201 own, isolated, version of the system 
infrastructure developed by the present applicant and as 
described above. As a further example, E-PLS1, E-PLS2 and 
E-PLS3 could be the PLSs of respective parts of the same 
enterprise sharing the same LAN or having their own LANs 
which are interconnected with each other. 

Another difference between an E-PLS and the G-PLS is 
that it is the enterprise itself that is responsible for 
operation, maintenance, support and administration of its 
own enterprise paper look-up server. Thus, the enterprise 
itself administers the database used for storing
management rules related to its enterprise application
services, registration and maintenance of its associated 
digital pens, availability of internal and external 
application services, access rights to internal and 
external application services etc. 

It is more efficient for an enterprise to use an E- 
PLS than to use a number of local paper look-up services. 
If the enterprise were to use a number of PCs executing 
local paper look-up services, access to general 
application services within the enterprise could only be 
accomplished with additional software on each client 
machine executing the local PLS, something which makes 
the system more difficult to support and administrate, in
particular in terms of adding nodes or services in the 
system. 

Furthermore, by using local PLSs, there would be no
simple way of accessing the enterprise services through
any other node than the PC implementing the local PLS,
something which would put limits on a pen user's
possibility to connect to the internal network and access
an enterprise application service via a mobile station
and a mobile communication network in a manner as
described above.

Advantageously, the communication between a digital 
pen and an E-PLS is secure and based on, e.g., a 
symmetric encryption key that is unique for each pen. The 
E-PLS is also arranged to be able to perform
authentication of a digital pen. Similarly, the
communication between different E-PLSs, or possibly 
involving the G-PLS, is secure by means of encryption 
keys, and an E-PLS is able to authenticate another E-PLS. 

In figure 2, the possibility of connecting E-PLSs in 
a hierarchy has been illustrated. In this exemplified 
hierarchy, an E-PLS is able to communicate with the G-PLS 
over a firewall 240 and an external network in the form 
of the Internet 250. The E-PLSs of the hierarchy could 
belong to different enterprises or to different 
divisions/departments within the same enterprise. 

Fig. 3 shows an enterprise paper look-up server 300 
in accordance with an exemplifying embodiment of the 
invention. The E-PLS 300 shown in Fig. 3 may, e.g., be 
configured to execute either one of the enterprise paper 
look-up services E-PLS1, E-PLS2 or E-PLS3 in Fig. 2. The 
enterprise paper look-up server 300 includes first 
storing means 310, interface means 320, 340, second 
interface means 330, second storing means 340 and 
processing means 350. First and second storing means may 
be implemented by means of any readily available memory 
device, such as RAM, ROM or the like or a hard disk 
drive. The different interface means may be implemented
by any kind of interface hardware circuitry which enables
the paper look-up server to communicate by means of a 
TCP/IP protocol stack or any other protocol stack 
implementing a commercial or proprietary protocol chosen 
for the communication with the various entities as 
described below. The processing means may be implemented 
by any suitable, commercially available microprocessor, 
or, alternatively, an Application Specific Integrated 
Circuit, or corresponding circuit, specifically designed 
for controlling the functioning of the paper look-up 
server. 

The processing means 350 executes a look-up service
which, in correspondence with the operation of a G-PLS,
operates to map a certain area of the coding pattern, such
as the area defining an activation icon, to a network
address, such as a URL on an Intranet, for a certain
application service. A database 360 accessed by the
processing means is used for storing management rules and
various data defining and controlling associations
between different coded surface areas and different
enterprise application services managed by E-PLS 300. The
database 360 also stores information controlling which
pens have the right to access which services.

In a simple configuration, the first storing means
310 is implemented by means of a table in which an area
address entry of the table corresponds to a specific URL
of an application service associated with the area
address. The table is either stored in a separate memory
circuit or in the database 360. For example, it is shown
in Fig. 3 that the surface area defined by all pages of
segment 1, shelf 2, book 4 (denoted 1.2.4.*) is
associated with URL 1, and that the specific page denoted
1.2.5.2 is associated with URL 2. URL 1 and URL 2 are the
network addresses of application services executed by the
same, or two different, enterprise application servers
connected to the same local enterprise network as the
E-PLS 300, i.e. to the same Intranet or at least the same
LAN.

The interface means 320 is a device interface which 
is arranged to communicate with digital devices, e.g. 
digital pens. As described above, this communication uses
a proprietary pen protocol, PP, which in turn uses the
proprietary secure pen protocol, SPP, and the hypertext
transfer protocol, http. Typically, this device interface
is used by the E-PLS 300 for receiving requests from its
registered digital pens, which requests include area
addresses defining certain position coded areas, and for
responding to the digital pens with information relating
to application services associated with these area
addresses, such information at least including the
network address, such as a URL, to be used for accessing
the service. This information may typically also include
such things as what kind of data the device is
required to transmit to the application service in order
for the service to be executed, e.g. user data stored in
the pen or data recorded from a certain writing surface
area.

The interface means 340 is also known as an Inter 
PLS look-up interface and is used for communication 
between different PLSs. The Inter PLS look-up interface 
340 is in the figure depicted as including stored 
associations between different area addresses and E- 
PLS/G-PLS. In practice, these associations are stored by 
the second storing means being located anywhere in server 
300 and accessible by the processing means 350, either in 
a separate memory circuit or in the database 360. 

The E-PLS 300 uses the Inter PLS look-up interface 
340 when it cannot find an application service associated 
with an area address of a received request in the first 
storing means 310. The request is then routed to a second 
PLS, either another E-PLS or the G-PLS, in accordance
with the associations stored by the second storing means
340. The routing is performed by the processing means 350
by way of operating on the second storing means 340.
Thus, the combination of the processing means 350 and the
second storing means 340 forms the routing means of the
E-PLS 300. The second storing means 340 may also include
a network address of a default E-PLS to which a request
may be routed. This default E-PLS may constitute the only
second E-PLS to which requests can be routed, or it can
co-exist with other secondary PLSs and be used when there
is no other secondary PLS that is associated with an area
address of the request which is to be routed.

Furthermore, the E-PLS may also receive requests 
over the Inter PLS look-up interface, which requests have 
been routed from another E-PLS. In the same way as when 
receiving a request over the device interface 320, the E- 
PLS 300 will check in the first storing means 310 for an 
application service associated with the area address of 
such a request from another E-PLS. If such application 
service is found, the network address thereof is returned 
to the requesting E-PLS. The E-PLS will also examine a 
list of E-PLS identities received in a request. These 
identities indicate which E-PLSs that have been traversed 
by the request. If the E-PLS receiving the request finds 
its own identity in the list, this indicates that a loop 
has occurred among the E-PLSs. The request will then be 
denied, thereby resolving the loop.
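
The look-up, access check, routing and loop check described in the preceding paragraphs can be sketched as follows. This is an added example, not code from the application or the applicant; the class and field names, the "ok" status value, the most-specific-match rule and the example.invalid URLs are assumptions made for illustration.

```python
from dataclasses import dataclass, field

WILD = ("*", "x")  # the text writes wildcards both as 1.2.4.* and 1.2.x.x

def area_matches(area, page):
    """True if page address segment.shelf.book.page lies inside the area address."""
    a, p = area.split("."), page.split(".")
    return len(a) == len(p) == 4 and all(x in WILD or x == y for x, y in zip(a, p))

def most_specific(table, page):
    """Value of the matching entry with the fewest wildcards (assumed precedence rule)."""
    hits = [(sum(part in WILD for part in key.split(".")), value)
            for key, value in table.items() if area_matches(key, page)]
    return min(hits, key=lambda h: h[0])[1] if hits else None

def denied(reason, path):
    return {"status": "access denied", "reason": reason, "path": list(path)}

@dataclass
class EPLS:
    identity: str
    services: dict = field(default_factory=dict)  # area address -> URL (first storing means)
    access: dict = field(default_factory=dict)    # URL -> pen ids allowed to use the service
    routes: dict = field(default_factory=dict)    # area address -> second PLS (second storing means)
    default_route: object = None                  # default PLS when no route entry matches
    may_route: set = field(default_factory=set)   # originators allowed to be routed onward

    def lookup(self, pen_id, page_address, requester_id=None, traversed=()):
        requester_id = requester_id or pen_id     # a pen is its own originator
        # Loop check: our own identity is already in the list of traversed PLSs.
        if self.identity in traversed:
            return denied("loop", traversed)
        path = (*traversed, self.identity)
        # 1. Is the area address associated with a service this E-PLS manages?
        url = most_specific(self.services, page_address)
        if url is not None:
            # 2. Does the pen have the right to access this specific service?
            if pen_id not in self.access.get(url, set()):
                return denied("pen not permitted", path)
            return {"status": "ok", "URL": url, "path": list(path)}
        # 3. Not managed here: may this originator be routed to a second PLS?
        if requester_id not in self.may_route:
            return denied("routing not permitted", path)
        nxt = most_specific(self.routes, page_address) or self.default_route
        if nxt is None:
            return {"status": "not found", "path": list(path)}
        return nxt.lookup(pen_id, page_address,
                          requester_id=self.identity, traversed=path)

# Constructed sample data; the URLs are placeholders, not addresses from the page.
URL1 = "http://as1.example.invalid/url1"
URL2 = "http://as1.example.invalid/url2"
URL3 = "http://as2.example.invalid/url3"

def demo():
    e1, e2, e3 = EPLS("E-PLS1"), EPLS("E-PLS2"), EPLS("E-PLS3")
    e1.services = {"1.2.4.*": URL1, "1.2.5.2": URL2}   # the two entries shown for Fig. 3
    e1.access = {URL1: {"pen-207"}, URL2: {"pen-207"}}
    e1.default_route, e1.may_route = e2, {"pen-207"}
    e2.services, e2.access = {"1.3.*.*": URL3}, {URL3: {"pen-207", "pen-217"}}
    # E-PLS2 sends 9.*.*.* to E-PLS3, which has no such service and defaults
    # back to E-PLS2: a configuration loop that the traversed list resolves.
    e2.routes, e2.may_route = {"9.*.*.*": e3}, {"E-PLS1", "E-PLS3"}
    e3.default_route, e3.may_route = e2, {"E-PLS2"}
    return {
        "local": e1.lookup("pen-207", "1.2.4.9"),
        "denied": e1.lookup("pen-999", "1.2.5.2"),
        "routed": e1.lookup("pen-207", "1.3.0.1"),
        "no_route": e1.lookup("pen-999", "1.3.0.1"),
        "loop": e1.lookup("pen-207", "9.1.1.1"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
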

The parameters that the E-PLS 300 may receive in a
request, or look-up request, which has been routed from
another E-PLS over the Inter PLS look-up interface 340,
are exemplified in the non-exhaustive list below.



Request parameter    Description

requesterId          - the identity of the device.
transactionid        - the identity of the transaction
                       that triggered the request.
penid                - the identity of the pen
                       that triggered the request.
                     - the identities of the PLSs
                       traversed by the request.
pageAddress          - the page address derived
                       from the pen stroke that
                       triggered the request.
                     - the identity of the activation
                       icon in which pen stroke were
                       made to trigger the request.



The information that the E-PLS may return over the
Inter PLS look-up interface 340 to the requesting E-PLS
is exemplified in the non-exhaustive list below.



Information element  Description

status               - indicates status of service,
                       e.g. locked, not active, not
                       found, access denied.
name                 - the name of the service as
                       presented to a pen user.
URL                  - the URL for the application
                       service.
security             - the level of security imposed
                       by the application service, e.g.
                       no security, or encryption with
                       supplied key.
ticket               - an authentication ticket if
                       such security is required.
                     - a public key used if security
                       implies encryption.
                     - data stored by the pen, so
                       called pen properties, which the
                       service can read.
mand                 - mandatory pen properties that
                       the service requires.
licensedPattern      - a page address defining what
                       surface area the service can
                       read from.

As is understood, the PLS associations stored in the
second storing means 340 are configurable and will define
the position of E-PLS 300 in a hierarchy of E-PLSs. Thus,
by means of the second storing means and the Inter PLS
look-up interface, E-PLS 300 may be configured to operate
as either one of E-PLS1, E-PLS2 or E-PLS3 shown in Fig.
2.

The second interface means 330 is an Inter PLS 
system interface via which the E-PLS 300, e.g. at regular 
intervals, can ask its parent PLS for template updates. 
For example, in the hierarchy in Fig. 2, E-PLS2 is a 
parent PLS to E-PLS1 and to E-PLS3. This hierarchy is
predefined upon configuration of the E-PLSs in the system
by means of allocating, if desired, a parent PLS to an
E-PLS. Upon receiving a template update in a response from
the parent PLS over the same interface, the processing
means 350 can extract e.g. new management rules or other
new data from the template update, which rules and data
are to be stored in the first storing means 310 or the
database 360. The E-PLS 300 may also from a template
update extract new values for data to be stored in a pen,
which pen is updated with this data following its next
request to the E-PLS 300 via the device interface 320.
The parent PLS can be another E-PLS or the G-PLS. This
enables the E-PLS 300 to also ask a parent PLS for a 
template update with data of a coded surface area that it 
currently has knowledge of. 

Finally, the E-PLS 300 includes an E-PLS 
administration interface 370 via which an enterprise 
maintains and controls its E-PLS 300. The control may 
relate to the settings of the second storing means 340 
for defining the position of the E-PLS in the hierarchy 
of E-PLSs, the access to and from other E-PLSs, and so 
on, in addition to general E-PLS security management. An 
operator of the enterprise preferably performs the 
administration by means of a web application executing 
within E-PLS 300. 

An exemplifying mode of operation of the present 
invention will now be described with reference to Figs 4 
and 5. Fig. 4 corresponds to the same hierarchy of PLSs as 
previously described with reference to the embodiment of 
Fig. 2, but with an illustration of the 
data/communication flow of the exemplified operation now 
to be described. Fig. 5 shows a flow chart with a number 
of operational steps, which flow chart illustrates some 
of the possible alternative flows that the operation of 
an E-PLS might undertake according to various embodiments 
thereof. 

The overall operation starts when a pen user uses 
his pen 207 and "ticks" an activation icon on a position 
coded surface which is associated with an enterprise 
service. The pen 207 encrypts the request, except for the 
identity of the pen, using its own unique symmetrical 
cryptographic key, and sends the request to the E-PLS 
with which it is registered, also called the pen home 
PLS, in this case to E-PLS1. 

The E-PLS1 receives (step S1) the request from the 
pen and extracts a non-encrypted identity of the pen. It 
then uses the pen identity to retrieve the pen's 
symmetrical cryptographic key with which it decrypts 
(step S2) the rest of the request and extracts an 
included area address of the surface area that the ticked 
activation icon belongs to. The E-PLS1 then checks (step 
S3) if the area address corresponds to a service in its 
list of managed enterprise application services E-AS1. 

If a corresponding service is found, the E-PLS1 will 
check (step S4) if the requesting pen has a right to 
access the specific service. This check may, e.g., be 
performed by means of a stored two-dimensional matrix 
formed by the digital pens registered with the E-PLS1 and 
the services managed by the E-PLS1, which matrix stores 
indications of which pens have the right to access 
which services. Either the pen has the right to access 
the service, in which case the E-PLS1 will reply by 
sending (step S5) a URL for the service back to the pen, 
or the pen does not have the right, in which case the 
E-PLS1 responds (step S9) to the pen with an access denied 
message. 

Assuming in this example that there is no match in 
the list of services, the E-PLS1 will then check (step 
S6) if the area address matches a second PLS in its list of 
externally available PLSs. Alternatively, or if there is 
no match, the E-PLS1 may check (step S7) if there is an 
externally available default PLS. If there is no available 
default PLS, the E-PLS1 responds (step S9) to the pen with 
an access denied message. However, if there is an 
externally available matching PLS or default PLS, it is 
checked (step S8) if the pen has the right to cause 
routing of a request to the matching or default PLS. 
This check may also be performed by means of a two-dimensional 
matrix, which matrix is formed by the registered digital 
pens and the PLSs to which the E-PLS1 is configured to be 
able to route a request. Should such routing not be 
allowed, the E-PLS1 responds (step S9) to the pen with an 
access denied message. 

If routing to the matching or default PLS is 
allowed, the request is encrypted and routed (step S10) 
to the matching second PLS (or the default PLS). This 
request, or look-up request, includes the requesting 
E-PLS1's identity, the requesting pen's identity and the 
area address to which the activation icon belongs, etc. In 
this case the E-PLS2 receives the request (once again 
step S1, but within the operation of E-PLS2), decrypts 
and authenticates it (step S2), and checks (step S3) if 
the area address corresponds to a service in its list of 
managed enterprise application services. Assuming there 
is a match, the E-PLS2 checks (step S8) that the service 
is not locked and that the requesting E-PLS1 has the 
right to cause routing of a request to the matching 
enterprise application service E-AS2. The E-PLS2 then 
replies to the requesting E-PLS1 with information that 
includes the URL for the matching service together with 
other information elements as described above with 
reference to Fig. 3. 

The requesting E-PLS1 thus receives a response to 
its request from E-PLS2 (step S11, again within the 
operation of E-PLS1) and sends a response to the 
requesting pen 207. The response to the pen includes the 
URL for the matching service together with other 
information regarding, e.g., what kind of data the 
device is required to transmit to the application service 
in order for the service to be executed, e.g. user data 
stored in the device or data recorded from a certain 
writing surface area. The pen 207 then uses the URL, and 
the other received information, to send a request to the 
enterprise application service E-AS2, which service 
processes the request and replies to the pen 207. 

It is evident from the flow chart of Fig. 5 and 
from other parts of this invention disclosure, that a 
great number of alternative operation flows are possible 
while still falling within the scope of the appended 
claims and within the overall spirit and scope of the 
present invention. 
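
The look-up decisions of steps S3 to S11 described above, written out as an added example that is not part of the patent text. The class and field names, the exact-match area addresses, the "ok" status value and the example.* URLs are assumptions made for illustration; the decryption of steps S1 and S2 is left out.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class EPLS:
    """Toy E-PLS; every field name here is an assumption of this example."""
    name: str
    services: dict = field(default_factory=dict)   # area address -> service record
    access: set = field(default_factory=set)       # (originator, area address) rights matrix
    routes: dict = field(default_factory=dict)     # area address -> second PLS
    default_pls: Optional["EPLS"] = None
    may_route: set = field(default_factory=set)    # (originator, PLS name) routing matrix

    def lookup(self, area, pen_id, via=None):
        originator = via or pen_id                 # a pen, or the E-PLS that forwarded
        svc = self.services.get(area)              # S3: is the area one of our services?
        if svc is not None:
            if svc.get("locked"):
                return {"status": "locked"}
            if (originator, area) not in self.access:        # S4: right to access?
                return {"status": "access denied"}           # S9
            return {"status": "ok", "name": svc["name"], "URL": svc["URL"]}  # S5
        target = self.routes.get(area) or self.default_pls   # S6, then S7
        if target is None or (originator, target.name) not in self.may_route:  # S8
            return {"status": "access denied"}               # S9
        # S10: forward with our own identity plus the pen identity; the reply
        # received from the second PLS (S11) is relayed to the originator.
        return target.lookup(area, pen_id, via=self.name)


def build_demo():
    """Constructed two-server hierarchy: pen-207 is registered with E-PLS1."""
    pls2 = EPLS("E-PLS2",
                services={"area-B": {"name": "E-AS2", "URL": "https://as2.example/"}},
                access={("E-PLS1", "area-B")})
    pls1 = EPLS("E-PLS1",
                services={"area-A": {"name": "E-AS1", "URL": "https://as1.example/"}},
                access={("pen-207", "area-A")},
                routes={"area-B": pls2},
                may_route={("pen-207", "E-PLS2")})
    return pls1, pls2
```

Every branch that does not end in an explicit grant returns access denied, so an area address with no matching service, no matching PLS and no default PLS fails closed.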
CLAIMS 

1. A method of responding to a request for access to 
an application service, the application service being 
deployed in a system that associates a specific area of a 
position coded surface with an application service by 
means of an area address, the method including: 

providing a first enterprise paper look-up service 
which manages a confined set of one or more enterprise 
application services associated with respective area 
addresses; 

receiving, from an originator, a request including 
an area address; 

checking, if the area address is associated with an 
enterprise application service managed by the first 
enterprise paper look-up service, that the originator of 
the request has the right to access the enterprise 
application service, before enabling access to the 
service; and 

routing, based on the area address, the request to a 
second paper look-up service if the area address is not 
associated with an enterprise application service managed 
by the first enterprise paper look-up service. 

2. The method of claim 1, wherein the routing step 
includes the step of selecting a second paper look-up 
service, among a plurality of paper look-up services, 
that is associated with the area address of the request. 






3. The method as claimed in claim 2, wherein the 
selecting step is based on a step of matching the 
received area address with one of the area addresses 
which by the enterprise paper look-up service are 
associated with respective second paper look-up services. 



4. The method as claimed in any one of claims 1-3, 
wherein the routing step includes the step of selecting a 
second paper look-up service that defines a default paper 
look-up service. 

5. The method as claimed in any one of claims 1-4 
including checking that the originator of the request has 
the right to cause routing of a request to the second 
paper look-up service, wherein said routing step only is 
completed if this right is confirmed. 

6. The method as claimed in any one of claims 1-5, 
including: 

receiving a response from the second paper look-up 
service; 

extracting information related to the application 
service associated with the area address from the 
response; and 

responding to the originator of the request by 
transferring said information to the originator. 

7. The method as claimed in any one of claims 1-6 
including determining that the originator is a digital 
device of the kind which is arranged to detect positions 
of the position coded surface, or a network connection 
unit in communication with such a digital device, which 
digital device is registered by the first enterprise 
paper look-up service. 



8. The method as claimed in any one of claims 1-6, 
including determining that the originator is another 
enterprise paper look-up service. 

9. The method as claimed in claim 6, wherein the 
information includes a network address designating the 
application service. 
10. The method as claimed in claim 9, wherein the 
network address is designated by means of a Uniform 
Resource Locator. 

11. The method as claimed in claim 6, wherein the 
information includes designations of mandatory data that 
the application service requires access to during its 
execution. 

12. The method as claimed in any one of claims 1 - 
11, wherein the second paper look-up service is another 
enterprise paper look-up service. 






13. The method as claimed in any one of claims 1 - 
11, wherein the second paper look-up service is a global 
paper look-up service providing world wide services to 
enterprise paper look-up services operated by various 
organisations, such as enterprises or government 
authorities. 

14. The method as claimed in any one of claims 1 - 
13, wherein the first paper look-up service together with 
the second paper look-up service is included in a 
hierarchy of paper look-up services. 



15. The method as claimed in any one of claims 1 - 
14, wherein the first enterprise paper look-up service 
performs the additional steps of: 

requesting a global paper look-up service to provide 
any template updates; and 

receiving a template update in response and 
extracting from the template update new management rules 
relating to at least one confined position coded surface 
area. 



16. An enterprise paper look-up server for 
responding to a request for access to an application 
service, the application service being deployed in a 
system that associates a specific area of a position 
coded surface with an application service by means of an 
area address, the enterprise server including: 

first storing means for storing associations between 
area addresses and respective enterprise application 
services defining a confined set of services managed by 
the enterprise server; 

interface means for receiving, from an originator, a 
request including an area address; 

processing means for checking, if the area address 
is associated with an enterprise application service 
managed by the enterprise paper look-up service itself, 
that the originator of the request has the right to 
access the enterprise application service, before 
enabling access to the service; and 

routing means for routing, by means of the 
processing means and based on the area address, the 
request to a second paper look-up server if the area 
address is not associated with an enterprise application 
service managed by the enterprise paper look-up service 
itself. 






17. The enterprise server as claimed in claim 16, 
which server includes second storing means for storing 
associations between area addresses and respective second 
paper look-up servers, and wherein the processing means 
is arranged for selecting a specific second paper look-up 
service which is associated with the area address of the 
request. 

18. The enterprise server as claimed in claim 16 or 
17, wherein the processing means is arranged to select a 
second paper look-up server that defines a default paper 
look-up server. 
19. The enterprise server as claimed in any one of 
claims 16 - 18, wherein the processing means further is 
arranged for checking that the originator of the request 
has the right to cause routing of a request to the second 
paper look-up server, before said routing means completes 
the routing of the request. 

20. The enterprise server as claimed in any one of 
claims 16 - 19, wherein said interface means further is 
arranged for receiving a response with information from 
the second paper look-up server and for responding to the 
originator of the request by transferring said 
information to the originator. 

21. The enterprise server as claimed in any one of 
claims 16 - 20, wherein the processing means further is 
arranged for determining that the originator is a digital 
device of the kind which is arranged to detect positions 
of the position coded surface, or a network connection 
unit in communication with such a digital device, which 
digital device is registered at the enterprise paper 
look-up server. 



22. The enterprise server as claimed in any one of 
claims 16 - 21, wherein the processing means further is 
arranged for determining that the originator is another 
enterprise paper look-up server. 



23. The enterprise server as claimed in any one of 
claims 20 - 22, wherein the information includes a network 
address designating the application service. 



24. The enterprise server as claimed in claim 23, 
wherein the network address is designated by means of a 
Uniform Resource Locator. 
25. The enterprise server as claimed in any one of 
claims 20 - 23, wherein the information includes 
designations of mandatory data that the application 
service requires access to during its execution. 

26. The enterprise server as claimed in any one of 
claims 16 - 25, wherein the second paper look-up server 
is another enterprise paper look-up server. 



27. The enterprise server as claimed in any one of 
claims 16-25, wherein the second paper look-up server 
is a global paper look-up server providing world wide 
services to enterprise paper look-up servers operated by 
various organisations, such as enterprises or government 
authorities. 



28. The enterprise server as claimed in any one of 
claims 16-27, which together with the second paper 
look-up server is included in a hierarchy of paper look-up 
servers. 

29. The enterprise server as claimed in any one of 
claims 16 - 28, further including: 

second interface means for requesting a global paper 
look-up service to provide any template updates and for 
receiving a template update in response thereto, 

wherein said processing means is arranged for 
extracting from the template update new management rules 
relating to at least one confined position coded surface 
area. 